CVE-2024-29371
Unknown Unknown - Not Provided
Denial-of-Service in jose4j via Malicious JWE Token Decompression

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: MITRE

Description
In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2024-29371
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jose4j jose4j *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1259 The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Upgrade jose4j to version 0.9.5 or later to prevent processing of malicious JWE tokens that cause Denial-of-Service conditions.

Executive Summary

This vulnerability in jose4j before version 0.9.5 allows an attacker to create a malicious JSON Web Encryption (JWE) token with an extremely high compression ratio. When the server processes this token, it causes excessive memory allocation and processing time during decompression, leading to a Denial-of-Service (DoS) condition.

Impact Analysis

The impact of this vulnerability is a Denial-of-Service (DoS) condition on the server processing the malicious JWE token. This means the server could become unresponsive or crash due to excessive resource consumption caused by decompressing the crafted token.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-29371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart